Abstract — It is known that Tardos's collusion-secure probabilistic
fingerprinting code (Tardos code; STOC'03) has length
of theoretically minimal order with respect to the number of 
colluding users. However, Tardos code uses a certain continuous
probability distribution in codeword generation, which creates
some problems for practical use; in particular, it requires a large
amount of extra memory. A solution proposed so far is to use some finite
probability distributions instead. In this paper, we determine the 
optimal finite distribution in order to decrease extra memory 
amount. By our result, the extra memory is reduced to 1/32 of 
the original, or even becomes needless, in some practical setting. 
Moreover, the code length is also reduced, e.g. to about 20.6% 
of Tardos code asymptotically. Finally, we address some other 
practical issues such as approximation errors which are inevitable 
in any real implementation. 

Index Terms — Collusion-secure code, Tardos code, memory 
optimization, digital rights management



I. Introduction 

Recent progress in information technology has enabled
us to easily handle commercial objects (such as movies,
music, customers' data) in a digital form. This has increased
our convenience dramatically; however, as the amount of such
digital content constantly grows, information leakage and
counterfeiting, in particular those caused by authorized users,
have become a serious concern. Prevention of such illegal
copying is often difficult for either technological or social
reasons. An alternative solution is to embed user identification
information into each content by a watermarking technique,
making the guilty user (called a "pirate") traceable from the
leaked content without decreasing convenience for innocent
users too much. For this purpose, it was pointed out (0])
that the embedded information should be designed securely
against "collusion attacks", that is, a kind of modification
of embedded information by a group of pirates. A c-secure
code provides such identification information which is secure
against c pirates or less.

It is known that Tardos's probabilistic c-secure code [12]
(Tardos code) has length of theoretically minimal order among
all possible c-secure codes with respect to c. The frequency
of 0s and 1s in the codewords is decided by outputs of a
certain probability distribution, which is referred to as the
bias distribution in this paper. Tardos's work is a milestone in
this research area because of its theoretical impact; however,
there are some hurdles for practical implementation, due to
the property that Tardos's bias distributions are continuous. An
explicit implementation of continuous distributions would be
impossible, while effects of approximation of bias distributions
on the security performance have not yet been evaluated.
Moreover, (approximated values of) the outputs of the bias
distribution, which should be of high accuracy to make the
code c-secure, are supposed to be recorded throughout. Thus
a large amount of extra memory is required for practical use.

A simple solution is to replace the continuous bias distributions
with finite ones. For instance, a bias distribution with
4 possible outputs needs only 2 bits of memory to record one
output, i.e. to record "which of the four". This solution was
first explored by Hagiwara, Hanaoka and Imai in [6]; they
established a formula of sufficient code length in terms of
a given (finite) bias distribution and desired security performance.
They also proposed a "c-indistinguishability" condition
for suitable bias distributions, with three concrete examples
that reduce the code lengths to about 60% of Tardos codes.
However, it has not yet been discussed whether their choice of
bias distributions is optimal for the purpose of reducing extra
memory amount. Moreover, a problem concerning practical
implementation is left unsolved as well: their code requires
calculation of some "score" of each user, which cannot be
explicitly represented in general by usual number systems
on computers (e.g. floating-point numbers); however, effects
of approximation of scores have not been evaluated so far.

The aim of this paper is to solve the abovementioned problems.
First, we exhibit strong evidence that the code lengths
decrease substantially due to the c-indistinguishability condition.
Thus, we may restrict our attention to bias distributions
satisfying this condition. Secondly, we determine the set of
c-indistinguishable bias distributions, together with the set of the
optimal ones among them (namely, those with minimal number
of possible outputs). We show that the optimal distribution
has only $\lceil c/2 \rceil$ possible outputs, where $\lceil x \rceil$ denotes as usual
the smallest integer $n$ with $x \le n$; thus only $\lceil \log_2 \lceil c/2 \rceil \rceil$
bits of memory are required to record one output. (Table I
gives a numerical example, where bias distributions for Tardos
codes are approximated by single-precision binary floating-point
numbers.) This shows that our result reduces the extra
memory amount significantly; in particular, it even makes such
extra memory needless when c = 2. Moreover, we improve
the code length formula in [6] to reduce code lengths further
and to evaluate effects of approximation of users' scores. The
combination of our new formula and our optimal distributions
provides much shorter code lengths than Tardos codes and than
[6] (see Figure 1). We also investigate the asymptotic behavior
of our code length; the ratio of our code length relative to
Tardos code converges to about 20.6% as $c \to \infty$.

Fig. 1. Ratio of code lengths relative to Tardos codes

TABLE I

A COMPARISON OF REQUIRED EXTRA MEMORY AMOUNT

Case 1: 2 pirates, 200 users, error probability < $10^{-11}$
Case 2: 4 pirates, 400 users, error probability < $10^{-11}$

                   bits / position    code length    total bits
Case 1   Tardos    32                 12 400         396 800
         Ours      0                  6278           0
         %         0                  50.6           0
Case 2   Tardos    32                 51 200         1 638 400
         Ours      1                  19 750         19 750
         %         3.1                38.6           1.2



This paper is organized as follows. After some preliminaries
(Section II) on the model of c-secure codes, some preceding
works, problems and notations, we observe in Section III
the importance of the c-indistinguishability condition. Section
IV-A shows some properties of c-indistinguishable distributions;
Section IV-B determines the set of c-indistinguishable
distributions; and Section IV-C determines the set of the
optimal distributions. Section V-A gives our improvement
of the code length formula established in [6]; Section V-B
investigates the asymptotic behavior of our code length; and
Section V-C provides some numerical examples. We give
remarks on some recent related works in Section VI. Finally,
Appendices are given and devoted to the proofs of some of
our results.

II. Preliminaries 

A. Our Model for Collusion-Secure Codes 

In this subsection, we describe our model for collusion-secure
codes. In our model, a content server embeds a binary
codeword $w_i = (w_{i,1}, \dots, w_{i,m})$ of length $m$ into a digital
content, which will be distributed to the $i$-th user $u_i$, by a certain
watermarking technique. Pirates, who are the adversarial users
attacking the code, then make an illegal copy of the distributed
content which involves a codeword possibly modified by them.
When the illegally copied content is found, the content server
first extracts the embedded codeword $y = (y_1, \dots, y_m)$ (called
the pirated codeword). Some bits $y_j$ in $y$ may be broken and
hence not decodable; such a bit is denoted by '?'. Then the
server executes a tracing algorithm for detecting the pirates,
with $y$ and all the $w_i$s as input.



Regarding the attack model, we assume that $\ell$ pirates try to
detect the positions of (parts of) the embedded codeword from
differences of their contents, and then to modify bits of the
codeword in these positions by some (possibly probabilistic)
algorithm, called a pirates' strategy. This attack model is
formulated as the following assumption, which was originally
introduced in HI and has been adopted in most of the
preceding works (e.g. (T), [6], [12]):

Assumption 1 (Marking Assumption): If all the bits
$w_{i_1,j}, \dots, w_{i_\ell,j}$ in codewords of the pirates $u_{i_1}, \dots, u_{i_\ell}$ at
the same, say $j$-th, position coincide (we call such a position
undetectable), then $y_j = w_{i_1,j}$.

Moreover, we also put the following assumption:

Assumption 2 (Pirates' Knowledge): Pirates have no information
on the actual choice of innocent (i.e. non-pirate) users'
codewords, other than their a priori distribution which may be
publicly known. As a result, the choice of $y$ is independent of
those codewords.

To discuss the security performance of our codes, we fix the 
meaning of the following terms: false-negative means that the 
tracing algorithm outputted no pirates; false-positive means 
that the tracing algorithm outputted at least one innocent 
user; tracing error means that false-negative or false-positive 
(or possibly both) occurs. A code equipped with a tracing
algorithm is called c-secure (with $\varepsilon$-error) if the tracing error
probability is bounded by a negligibly small value $\varepsilon$ provided
the number of pirates is at most c.

B. Tardos Code and Its Generalization 

In this subsection we summarize the code construction
and tracing algorithms of the c-secure Tardos code [12] and its
generalization given in [6] as follows. First, the content server
is supposed to choose the random values $0 < p^{(j)} < 1$
independently for every $1 \le j \le m$, according to a given
probability distribution $\mathcal{P}$ which we refer to as the bias
distribution. (Details for the choices of $\mathcal{P}$ in these codes are
irrelevant here and hence omitted; see the original papers for
details.) Here we only treat the bias distributions whose output
values are in the open interval (0, 1) and which are symmetric
in the following sense: we have

$$\mathrm{Prob}(\mathcal{P}\text{'s output} \in A) = \mathrm{Prob}(\mathcal{P}\text{'s output} \in 1 - A)$$

for any subset $A$ of the interval (0, 1), where Prob signifies the
probability and $1 - A = \{1 - a \mid a \in A\}$. (When $\mathcal{P}$ is finite, it is
symmetric in this sense if and only if it outputs $a$ and $1 - a$ with
the same probability for any $a$.) The resulting sequence
$P = (p^{(1)}, \dots, p^{(m)})$ should be stored and be kept secret throughout
the scheme: due to Assumption 2, pirates may be allowed to
guess the values $p^{(j)}$ from public information on $\mathcal{P}$ and the
pirates' codewords, but not to know about the actual choices
of $p^{(j)}$. Then, secondly, the server chooses each codeword $w_i$
in the following probabilistic manner: $\mathrm{Prob}(w_{i,j} = 1) = p^{(j)}$
and $\mathrm{Prob}(w_{i,j} = 0) = 1 - p^{(j)}$ for the $j$-th position. All the bits
$w_{i,j}$ are supposed to be independently chosen.

In the tracing algorithm, the server calculates a score $S_i$ of
each user $u_i$ by $S_i = \sum_{j=1}^{m} S_i^{(j)}$, where

$$S_i^{(j)} = \begin{cases} \sigma(p^{(j)}) & \text{if } (y_j, w_{i,j}) = (1,1) , \\ -\sigma(1 - p^{(j)}) & \text{if } (y_j, w_{i,j}) = (1,0) , \\ 0 & \text{if } y_j \in \{0, ?\} , \end{cases}$$

with $\sigma(p) = \sqrt{(1-p)/p}$ for $0 < p < 1$. The output of the
tracing algorithm is then the (possibly empty) list of all users
$u_i$ with $S_i > Z$, where $Z$ is a suitably selected threshold
parameter. Details of the choices of $Z$ are also omitted here.
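
The construction and scoring rule above can be exercised end to end. The following Python sketch is an added example, not code from the paper: it uses the two-output bias distribution listed for c = 4 in Table II, keeps only a 1-bit table index per position, and scores users against a constructed pirated codeword that obeys the Marking Assumption. The function names, the seed and the rule used on detectable positions are assumptions made for the demonstration.

```python
import math
import random

# Output table of the two-output bias distribution (Table II, c = 4):
# p = 1/2 -/+ sqrt(3)/6, each taken with probability 1/2.
P_TABLE = (0.5 - math.sqrt(3) / 6, 0.5 + math.sqrt(3) / 6)


def sigma(p):
    """sigma(p) = sqrt((1 - p) / p) for 0 < p < 1."""
    return math.sqrt((1.0 - p) / p)


def generate(n_users, m, rng):
    """Draw the secret bias indices and one codeword per user.

    Only the index of p^(j) in P_TABLE is kept for each position,
    i.e. one bit per position instead of a floating-point value.
    """
    bias_index = [rng.randrange(len(P_TABLE)) for _ in range(m)]
    codewords = [
        [1 if rng.random() < P_TABLE[b] else 0 for b in bias_index]
        for _ in range(n_users)
    ]
    return bias_index, codewords


def constructed_pirated_word(pirate_words):
    """Build a test input y that satisfies the Marking Assumption.

    Undetectable positions copy the common bit. On detectable positions
    this constructed input takes the majority bit and marks ties as '?'
    (an assumption of this example; the model allows any rule there).
    """
    y = []
    for bits in zip(*pirate_words):
        ones = sum(bits)
        if ones == len(bits):
            y.append(1)
        elif ones == 0:
            y.append(0)
        elif 2 * ones == len(bits):
            y.append('?')
        else:
            y.append(1 if 2 * ones > len(bits) else 0)
    return y


def score(word, y, bias_index):
    """Score S_i: sum of the bitwise scores defined in Section II-B."""
    total = 0.0
    for w, yj, b in zip(word, y, bias_index):
        if yj != 1:            # y_j in {0, ?} contributes 0
            continue
        p = P_TABLE[b]
        total += sigma(p) if w == 1 else -sigma(1.0 - p)
    return total


def trace(codewords, y, bias_index, z):
    """Indices of all users whose score exceeds the caller-chosen threshold z."""
    return [i for i, w in enumerate(codewords) if score(w, y, bias_index) > z]


def demo(seed=7, n_users=22, m=3000):
    """Users 0 and 1 collude; returns (all scores, extra memory in bits)."""
    rng = random.Random(seed)
    bias_index, words = generate(n_users, m, rng)
    y = constructed_pirated_word(words[:2])
    scores = [score(w, y, bias_index) for w in words]
    bits_per_position = (len(P_TABLE) - 1).bit_length()
    return scores, len(bias_index) * bits_per_position


if __name__ == "__main__":
    scores, memory_bits = demo()
    print("pirates      :", [round(s, 1) for s in scores[:2]])
    print("max innocent :", round(max(scores[2:]), 1))
    print("extra memory :", memory_bits, "bits")
```

The threshold passed to `trace` is left to the caller because the choice of Z is not given in this subsection.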

C. Problems 

A problem of Tardos code is, as we mentioned in the
Introduction, that the bias distribution $\mathcal{P}$ used in his codeword
generation is continuous. An explicit implementation of such
a $\mathcal{P}$ seems to be impossible. Moreover, even if we would
like to approximate this $\mathcal{P}$, e.g. by floating-point numbers,
the original security proof does not concern effects of such
inevitable approximation; and a large amount of extra memory
is required to record the approximated values of $\mathcal{P}$ since these
values should be of high accuracy to make the code c-secure.

A solution proposed in [6] is to use suitable finite bias
distributions instead. They gave formulae of code length
and threshold parameter corresponding to a given finite bias
distribution $\mathcal{P}$, making the code c-secure. Moreover, by
observing the form of their formula, they also proposed a
"c-indistinguishability" condition for $\mathcal{P}$ which would be effective
to reduce the code lengths.

However, regarding the abovementioned memory problem, the
following question remained open: Is their choice of $\mathcal{P}$ optimal
in terms of required memory? Moreover, although the users'
scores are irrational numbers in general, effects of approximation
of scores on the tracing error probability have not yet been
discussed. In the rest of this paper, we give solutions for these
problems.

D. Notations 

This subsection summarizes some notations used throughout
this paper. First, let the following expression

{(val, prob) | cond}

signify the probability distribution such that a value val is
taken with probability prob, where val and prob vary subject
to the condition cond. Given a finite bias distribution $\mathcal{P}$, let
$p_0, p_1, \dots, p_k$ denote the possible outputs in increasing order
and write $q_i = \mathrm{Prob}(\mathcal{P} \text{ outputs } p_i)$; thus $p_{k-i} = 1 - p_i$ and
$q_{k-i} = q_i$ by the symmetry of $\mathcal{P}$. For $1 \le \ell \le c$ and $0 \le x \le \ell$,
define functions $f_{\ell,x}(p)$ and $g_{\ell,x}(p)$ for $0 < p < 1$ by

$$f_{\ell,x}(p) = p^x (1-p)^{\ell-x} \bigl( x\sigma(p) - (\ell-x)\sigma(1-p) \bigr) ,$$
$$g_{\ell,x}(p) = x p^{x-1} (1-p)^{\ell-x} - (\ell-x) p^x (1-p)^{\ell-x-1} ,$$

where

$$\sigma(p) = \sqrt{(1-p)/p} .$$

These two functions satisfy the following relation: $f_{\ell,x}(p) = g_{\ell,x}(p)\sqrt{p(1-p)}$. Put

$$R_{\ell,x} = \max\{0, E_p[f_{\ell,x}(p)]\} ,$$

where $E_p$ signifies the expected value over outputs $p$ of $\mathcal{P}$.
Define a function $r(t)$ by

$$r(t) = (e^t - 1 - t)/t^2 \quad \text{for } t > 0 ,$$

and let

$$\mathcal{R}_{\ell,\mathcal{P}} = E_p[-f_{\ell,0}(p)] - \sum_{x=1}^{\ell-1} \binom{\ell}{x} R_{\ell,x} \quad \text{for } 1 \le \ell \le c .$$

Moreover, $\log = \log_e$ denotes the natural logarithm, and $\lceil x \rceil$
denotes the smallest integer $n$ such that $n \ge x$.

III. A Characterization of the c-Indistinguishability

Before solving the problems mentioned in Section II-C, we
investigate the c-indistinguishability condition for bias distributions
proposed in [6]. This condition was introduced for the
purpose of reducing code lengths determined by the formula
given in [6]; however, it has not yet been discovered how
much this condition contributes to decreasing the true tracing
error probability (and hence to reducing the code length). This
section exhibits strong evidence that this condition is in fact
substantial for decreasing the error probability.

First, we recall from [6] the following definition of the
c-indistinguishability condition (see Section II-D for notations):

Definition 1: A (finite) bias distribution $\mathcal{P}$ is called
c-indistinguishable, or c-ind in short, if $\sum_{x=1}^{\ell-1} \binom{\ell}{x} R_{\ell,x} = 0$ for
all $2 \le \ell \le c$.

Remark 1: Since the value $R_{\ell,x}$ is always nonnegative
by definition, this condition is equivalent to $R_{\ell,x} = 0$ (or
equivalently, $E_p[f_{\ell,x}(p)] \le 0$) for all $2 \le \ell \le c$ and
$1 \le x \le \ell - 1$.

Then we show that all attack strategies have the same
efficiency on average if and only if $\mathcal{P}$ is c-ind. This claim
implies a substantial significance of the c-ind condition.

We start with an arbitrary finite bias distribution $\mathcal{P}$. Let
$u_1, \dots, u_\ell$ (where $\ell \le c$) be the pirates and $w_1, \dots, w_\ell$
their codewords. The pirates would hope that none of them is
output by the tracing algorithm, therefore they would try to
create the pirated codeword $y$ so that all of their scores will
be as small as possible. For this purpose, it is necessary for
the sum $S$ of their scores to be small. By the definition of
the tracing algorithm, $S$ can be decomposed as $S = S' + S''$,
where $S'$ denotes the sum of pirates' bitwise scores over the
undetectable positions, which is independent of the pirates'
strategy due to the Marking Assumption (Assumption 1), and $S''$
is the sum over the remaining positions $j$ with $y_j = 1$.

Now for $1 \le j \le m$ and $I \subseteq \{1, 2, \dots, \ell\}$, let $B_I$ denote
the event that $w_{i,j} = 1$ for $i \in I$ and $w_{i,j} = 0$ for $i \notin I$,
and let $B'_I$ be the event that $B_I$ occurs and $y_j = 1$. Then
the contribution of the $j$-th position of their codewords for $S''$
under the event $B'_I$ (where $I \ne \emptyset$ and $I \ne \{1, \dots, \ell\}$) is
$x\sigma(p^{(j)}) - (\ell - x)\sigma(1 - p^{(j)})$, where $x = |I|$. Thus its expected
value conditioned on $B'_I$ over the choices of $p^{(j)}$ is given by

$$\sum_p \mathrm{Prob}(p^{(j)} = p \mid B'_I)\bigl(x\sigma(p) - (\ell - x)\sigma(1 - p)\bigr) , \tag{1}$$

where the sum is taken over all possible outputs $p$ of $\mathcal{P}$.
Under this setting, our claim is expressed as the following
proposition, whose proof is postponed until the end of Section
IV-A since it requires some results given in that section:

Proposition 1: The expected value (1) is always 0 if and
only if $\mathcal{P}$ is c-indistinguishable.

Based on this observation, we restrict our attention to c-ind
bias distributions from now on.



IV. The Optimal Bias Distribution 
A. Properties of the c-Indistinguishability Condition 

In this subsection, we investigate properties of the
c-indistinguishability condition as a preliminary for the following
sections. Proofs will be given in Appendix A.

Let $\mathcal{P}$ be a (finite) bias distribution. First, a straightforward
observation can show that $g_{\ell,\ell-x}(p) = -g_{\ell,x}(1 - p)$ and
$f_{\ell,\ell-x}(p) = -f_{\ell,x}(1 - p)$; therefore by symmetry of $\mathcal{P}$ we
have

$$E_p[f_{\ell,\ell-x}(p)] = -E_p[f_{\ell,x}(1 - p)] = -E_p[f_{\ell,x}(p)] . \tag{2}$$

This implies the following result concerning the case when a
bias distribution becomes c-ind:

Proposition 2: Let $\mathcal{P}$ be a (finite) bias distribution.

1) $\mathcal{P}$ is c-ind if and only if

$$E_p[f_{\ell,x}(p)] = 0 \tag{3}$$

for any $2 \le \ell \le c$ and $1 \le x \le \ell - 1$.

2) If $\ell$ is even, then (3) always holds for $x = \ell/2$. In
particular, $\mathcal{P}$ is always 2-ind (cf. [6, Proposition 1]).

3) Condition (3) holds for an $\ell$ and $x = x_0$ if and only if
(3) holds for this $\ell$ and $x = \ell - x_0$.

The following recursive relations for $f_{\ell,x}$ and $g_{\ell,x}$ are key
ingredients of our argument in this section:

Lemma 1: We have $f_{\ell-1,x}(p) = f_{\ell,x}(p) + f_{\ell,x+1}(p)$ and
$g_{\ell-1,x}(p) = g_{\ell,x}(p) + g_{\ell,x+1}(p)$ for $0 \le x \le \ell - 1$.

From this lemma, we derive the following properties. First,
the next proposition says that the c-ind condition simplifies the
value $\mathcal{R}_{\ell,\mathcal{P}}$ and makes it positive:

Proposition 3: If $\mathcal{P}$ is a c-ind distribution, then we have

$$\mathcal{R}_{\ell,\mathcal{P}} = E_p\left[\sqrt{p(1-p)}\right] > 0 \quad \text{for } 1 \le \ell \le c .$$

Secondly, the next lemma reduces the complexity of determining
whether a given bias distribution is c-ind:

Lemma 2: If the condition (3) is satisfied for any two of
the three pairs of parameters $(\ell, x) = (\ell' - 1, x')$, $(\ell', x')$
and $(\ell', x' + 1)$, then this condition is also satisfied for the
remaining one.

Now we are able to prove the following result, which can
be seen as a generalization of [6, Proposition 1] since any bias
distribution is 1-ind by definition:

Proposition 4: If c is odd, then any c-ind bias distribution
is also (c + 1)-ind.

Moreover, the following criterion of the c-ind condition is
deduced from the above results:

Proposition 5: Let $c \ge 3$, and let $c'$ denote the largest odd
number such that $c' \le c$.

1) If (3) is satisfied for all parameters of the form $(\ell, x) = (c', x)$
with $1 \le x \le (c' - 1)/2$, then $\mathcal{P}$ is c-ind.

2) If $\mathcal{P}$ is $(c' - 2)$-ind and (3) is satisfied for at least one
parameter of the form $(c', x_0)$ with $1 \le x_0 \le c' - 1$, then
$\mathcal{P}$ is also c-ind. In particular, $\mathcal{P}$ is c-ind if for each odd
number $\ell$ with $3 \le \ell \le c'$, the condition (3) is satisfied
for at least one parameter of the form $(\ell, x_\ell)$.

At the end of this subsection, we give the postponed proof
of Proposition 1 in Section III.

Proof of Proposition 1: First, since the value $p^{(j)}$ is
assumed to be secret for the pirates, the conditional probability
$\mathrm{Prob}(y_j = 1 \mid B_I \wedge (p^{(j)} = p))$ is constant on outputs $p$ of
$\mathcal{P}$, which is equal to $\mathrm{Prob}(y_j = 1 \mid B_I)$. On the other hand,
we have

$$\mathrm{Prob}(B_I \mid p^{(j)} = p) = p^x (1 - p)^{\ell - x}$$

by the codeword generation. Thus by putting

$$C = \mathrm{Prob}(y_j = 1 \mid B_I) / \mathrm{Prob}(B'_I) ,$$

we have

$$\mathrm{Prob}(p^{(j)} = p \mid B'_I) = C \cdot \mathrm{Prob}((p^{(j)} = p) \wedge B_I) = C \cdot \mathrm{Prob}(p^{(j)} = p)\, p^x (1 - p)^{\ell - x}$$

since $B'_I = (B_I \wedge (y_j = 1))$; therefore (1) is equal to

$$C \sum_p \mathrm{Prob}(p^{(j)} = p) f_{\ell,x}(p) = C \cdot E_p[f_{\ell,x}(p)] .$$

Thus by Proposition 2, this value is always 0 regardless of
the pirates' strategy if and only if $\mathcal{P}$ is c-ind. ■

B. Determining c-Indistinguishable Distributions 

In this subsection, we determine all the c-ind bias distributions
$\mathcal{P}$ for every c, by proving in Theorem 1 below that the
c-ind bias distributions are in one-to-one correspondence with
objects defined as follows:

Definition 2: We refer to a pair $Q = (X, \omega)$ of a finite
subset $X$ of the open interval $(-1, 1)$ and a positive function
$\omega > 0$ on $X$ as a quadrature system, or a QS in short, of
degree $d$ if we have

/ F(t)dt = (4) 

for any real polynomial $F(t)$ of degree less than or equal to $d$.
We refer to the size $|X|$ of $X$ as the order of $Q$, and we say
that $Q$ is symmetric if $-X = X$ (where $-X = \{-\xi \mid \xi \in X\}$)
and = for all $\xi \in X$.

Example 1: Let $X = \{0, \pm\sqrt{15}/5\}$, $\omega(0) = 8/9$ and
$\omega(\pm\sqrt{15}/5) = 5/9$. Then a direct calculation can verify that
(4) holds for any $F(t)$ of degree less than or equal to 5. Thus
$(X, \omega)$ is a symmetric QS of order 3 and degree 5 in the sense
of Definition 2.

Now we give the aforementioned theorem on the one-to-one
correspondence as follows, which will be proved in Appendix B.

Theorem 1: For each c, the c-ind bias distributions are in
one-to-one correspondence with the symmetric QSs of degree
$c - 1$. More precisely:

• For a symmetric QS $Q = (X, \omega)$ of degree $c - 1$, define
a probability distribution $\mathcal{P}(Q)$ by



HQ) 



^ 2 'c^/r - e y j 

(see Section II-D for notation), where we put C =

• For a c-ind bias distribution $\mathcal{P} = \{(p_i, q_i) \mid 1 \le i \le k\}$,
define a pair $Q(\mathcal{P}) = (\{\xi_1, \dots, \xi_k\}, \omega)$ by putting, for
$1 \le i \le k$,

$$\xi_i = 2p_i - 1 \quad \text{and} \quad \omega(\xi_i) = \frac{\sqrt{p_i(1 - p_i)}\, q_i}{C} ,$$

where we put $C = \sum_{i=1}^{k} \sqrt{p_i(1 - p_i)}\, q_i / 2$.

Then $\mathcal{P}(Q)$ is c-ind, $Q(\mathcal{P})$ is a symmetric QS of degree $c - 1$,
$Q(\mathcal{P}(Q)) = Q$ and $\mathcal{P}(Q(\mathcal{P})) = \mathcal{P}$.

Remark 2: Note that any symmetric QS of even degree $2d$
is also a QS of degree $2d + 1$ by the definition of QSs.
This fact corresponds to Proposition 4 via the one-to-one
correspondence in Theorem 1.

C. The Optimal c-Indistinguishable Distribution 

Among the c-ind bias distributions, in this subsection we
determine the optimal ones for the purpose of reducing extra
memory amount. Owing to Proposition 4, we may concentrate
our attention on the case when c is even.

First, as we mentioned in the Introduction, the optimal c-ind
distributions are precisely the ones with minimal number
of possible outputs. By Theorem 1, such c-ind distributions
correspond to the symmetric QSs of degree $c - 1$ with minimal
order; thus our task here is to determine those QSs. However,
in fact the solution of this problem has been given (in different
terminology) as the following classical result:

Theorem 2 (e.g. [3], [11]): For $\nu \ge 1$, let

$$L_\nu(t) = \frac{1}{2^\nu \nu!} \left(\frac{d}{dt}\right)^{\nu} (t^2 - 1)^\nu$$

be the $\nu$-th Legendre polynomial normalized as $L_\nu(1) = 1$. Let
$X$ be the set of zeroes of $L_\nu(t)$ (i.e. values $x$ with $L_\nu(x) = 0$),
and put

$$\omega(\xi) = \frac{2}{(1 - \xi^2)\, L_\nu'(\xi)^2} \quad \text{for } \xi \in X$$

(see [3, Section 7.3.1, p. 316] for the expression of $\omega(\xi)$). Then
$Q_\nu = (X, \omega)$ is the unique symmetric QS of minimal order
subject to the degree being $2\nu - 1$; namely, it is a symmetric
QS of order $\nu$ and degree $2\nu - 1$, while no other QS of degree
$2\nu - 1$ has order less than or equal to $\nu$.

For instance, $Q_3$ is the QS shown in Example 1. We refer
to the QS $Q_\nu$ defined in this theorem as the Gauss-Legendre
QS, or the GL QS in short, because of its deep relationship to
the "Gauss-Legendre quadrature formula", that is, a classical
approximation method for integrals (see e.g. [11]). Now by
combining Theorems 1 and 2, we determine the optimal
bias distribution (which we refer to as the Gauss-Legendre
distribution, or the GL distribution in short) explicitly as
follows:

Theorem 3: For $\nu \ge 1$, let



L v (t) = 



(u 2 IT 



a polynomial in $t$ of degree $\nu$. Then the unique optimal $(2\nu)$-ind
distribution $\mathcal{P} = \mathcal{P}_{2\nu}$ is given by

$$\left\{ \left( p, \frac{C}{(p(1-p))^{3/2}\, L_\nu'(p)^2} \right) \;\middle|\; L_\nu(p) = 0 \right\}$$

(see Section II-D for notation), where $C$ is the normalizing
constant adjusting the total probability to 1. This $\mathcal{P}_{2\nu}$ has $\nu$
possible outputs.

The proof of this theorem will be given in Appendix C.
Table II shows the explicit GL distributions for small c, where
the output values less than 1/2 are omitted by symmetry.

Remark 3: By Theorem 3, the optimal c-ind distribution $\mathcal{P}_c$
has $\lceil c/2 \rceil$ possible outputs, therefore only $\lceil \log_2 \lceil c/2 \rceil \rceil$ bits
of memory are sufficient to record one value $p^{(j)}$ (whenever
a relatively small table of possible outputs of $\mathcal{P}_c$ is held
together). As we mentioned in the Introduction, some comparison
of the required memory amount between Tardos code
and ours is shown in Table I above, where we put $c = 2$,
$N = 200$ and $\varepsilon = 10^{-11}$ in Case 1, and $c = 4$, $N = 400$
and $\varepsilon = 10^{-11}$ in Case 2. Here the code lengths of our
codes are calculated by using a formula given in the next
section; and we assume that outputs of Tardos's continuous
bias distributions are approximated by using single-precision
(4-byte) floating-point numbers. The table shows that our
optimal bias distributions in fact reduce the memory amount
dramatically. Note that our optimal distributions require 4
bytes of memory or more to record one output in the (very
impractical) case $c \ge 2^{32} + 1 = 4\,294\,967\,297$. However,
for such c, the approximation of Tardos's distributions requires
much larger memory in order to attain comparable security.
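
Theorem 3 and Remark 3 can be checked numerically. The following Python sketch is an added example, not the authors' code: it builds the distribution from the Gauss-Legendre nodes and weights of Theorem 2 through the relations $\xi_i = 2p_i - 1$ and $\omega(\xi_i) \propto \sqrt{p_i(1-p_i)}\,q_i$ of Theorem 1, reproduces the Table II entries, and evaluates condition (3) directly. All function names are hypothetical, and the nodes are found with a plain Newton iteration.

```python
import math


def legendre(nu, x):
    """Return (L_nu(x), L_nu'(x)) for the Legendre polynomial with L_nu(1) = 1."""
    prev, cur = 1.0, x
    for k in range(2, nu + 1):
        prev, cur = cur, ((2 * k - 1) * x * cur - (k - 1) * prev) / k
    return cur, nu * (x * cur - prev) / (x * x - 1.0)


def gauss_legendre(nu):
    """Zeroes xi of L_nu with weights 2 / ((1 - xi^2) L_nu'(xi)^2), sorted by xi."""
    rule = []
    for k in range(1, nu + 1):
        x = math.cos(math.pi * (k - 0.25) / (nu + 0.5))  # usual starting guess
        for _ in range(50):                              # Newton steps on L_nu
            value, slope = legendre(nu, x)
            x -= value / slope
        _, slope = legendre(nu, x)
        rule.append((x, 2.0 / ((1.0 - x * x) * slope * slope)))
    return sorted(rule)


def gl_distribution(c):
    """Bias distribution [(p, q), ...] with ceil(c/2) outputs.

    Uses p = (xi + 1) / 2 and q proportional to omega(xi) / sqrt(p (1 - p)),
    then normalizes the total probability to 1.
    """
    nu = (c + 1) // 2
    raw = [((xi + 1.0) / 2.0, w) for xi, w in gauss_legendre(nu)]
    mass = [(p, w / math.sqrt(p * (1.0 - p))) for p, w in raw]
    total = sum(q for _, q in mass)
    return [(p, q / total) for p, q in mass]


def sigma(p):
    return math.sqrt((1.0 - p) / p)


def f(l, x, p):
    """f_{l,x}(p) = p^x (1-p)^(l-x) (x sigma(p) - (l-x) sigma(1-p))."""
    return p ** x * (1.0 - p) ** (l - x) * (x * sigma(p) - (l - x) * sigma(1.0 - p))


def max_cind_deviation(dist, c):
    """Largest |E_p[f_{l,x}(p)]| over 2 <= l <= c and 1 <= x <= l - 1.

    By condition (3) this is 0 exactly when dist is c-indistinguishable.
    """
    return max(
        (abs(sum(q * f(l, x, p) for p, q in dist))
         for l in range(2, c + 1) for x in range(1, l)),
        default=0.0,
    )


def bits_per_position(c):
    """ceil(log2(ceil(c/2))): bits needed to name one output of the distribution."""
    return ((c + 1) // 2 - 1).bit_length()


if __name__ == "__main__":
    for c in (2, 4, 6, 8):
        dist = gl_distribution(c)
        print(f"c = {c}: {bits_per_position(c)} bit(s) per position, "
              f"max |E[f]| = {max_cind_deviation(dist, c):.1e}")
        for p, q in dist:
            if p >= 0.5 - 1e-12:          # Table II lists outputs >= 1/2 only
                print(f"    p = {p:.6f}   q = {q:.6f}")
    # The one-point distribution {(1/2, 1)} is 2-ind but not 4-ind.
    print("one-point, c = 4:", max_cind_deviation([(0.5, 1.0)], 4))
```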

V. Code Lengths 

A. An Improved Formula for Code Lengths 

In this subsection, we improve the formula for code lengths
and thresholds given in [6] to reduce code lengths. Also, we
slightly modify the tracing algorithm to evaluate the effects
of approximation of users' scores. Here we do not assume
that the bias distribution $\mathcal{P}$ is the optimal one determined in
the previous section, since it is generally inevitable in practical
implementation to perform some approximation of the optimal
bias distribution (cf. Table II).
TABLE II

The optimal c-ind distributions $\mathcal{P}_c$

c    L(t)                                          value                                   probability
2    2(2t - 1)                                     1/2                                     1
4    8(6t^2 - 6t + 1)                              1/2 + √3/6                              1/2
6    48(2t - 1)(10t^2 - 10t + 1)                   1/2                                     (20√10 - 32)/93
                                                   1/2 + √15/10                            (125 - 20√10)/186
8    384(70t^4 - 140t^3 + 90t^2 - 20t + 1)         1/2 + √(525 - 70√30)/70                 1/4 + (41√30 - 49√21)/12
                                                   1/2 + √(525 + 70√30)/70                 1/4 - (41√30 - 49√21)/12



Before stating our results, we prepare further notations (see
also Section II-D). Let $\delta \ge 0$ be a bound of approximation
error of users' bitwise scores, and let $U_i$ be an approximated
value of $\sigma(p_i)$ for $0 \le i \le k$; namely $|U_i - \sigma(p_i)| \le \delta$. Let
$\mathcal{R}$ be a positive value such that

$$\mathcal{R} \le \min_{1 \le \ell \le c} \mathcal{R}_{\ell,\mathcal{P}} , \tag{5}$$

and let $\psi_1, \psi_2 > 0$ be approximated values of $\sigma(p_0)$ such that

$$\psi_1 \le \sigma(p_0) \le \psi_2 . \tag{6}$$

Let $\eta_1, \eta_2 > 0$ be two positive parameters, and let $x_1, x_2 > 0$
be two positive values such that

Xir{xi) < riiTlipi/c , for i = 1,2 (7)

Note that $t\,r(t)$ is an increasing positive function for $t > 0$.
Note also that the code length given by our formula below
will be reduced as the inequalities (5), (6) and (7) are getting
stricter. Moreover, choose values $A_1$ and $A_2$ so that, for $i = 1, 2$,

Ai >
V>2, 1
— log— , (8)
(1 — 771 — r]2/c)7i — 25c Xi e

where $\varepsilon_1$ and $\varepsilon_2$ are given security parameters related to the
tracing error probability. Note also that the code length will
be decreased as the inequality (8) becomes stricter.

Now we define an "approximated version" of the tracing
algorithm by the following modification:

Definition 3 (approximated tracing algorithm): We modify
the tracing algorithm given in Section II-B as follows. First,
the approximated score $\hat{S}_i$ of the $i$-th user $u_i$ is calculated by
$\hat{S}_i = \sum_{j=1}^{m} \hat{S}_i^{(j)}$, where

$$\hat{S}_i^{(j)} = \begin{cases} U_{\nu_j} & \text{if } (y_j, w_{i,j}) = (1,1) , \\ -U_{k-\nu_j} & \text{if } (y_j, w_{i,j}) = (1,0) , \\ 0 & \text{if } y_j \in \{0, ?\} , \end{cases}$$

with the index $\nu_j$ defined by $p^{(j)} = p_{\nu_j}$. (Note that
$|\hat{S}_i - S_i| \le m\delta$ where $S_i$ denotes the true score of $u_i$.) Then our
approximated algorithm outputs all users whose approximated
score satisfies that $\hat{S}_i > Z$.

Remark 4: Note that the original tracing algorithm is recovered
when we take $U_\nu = \sigma(p_\nu)$ for every $\nu$.

Now sufficient code lengths and corresponding thresholds
with respect to the approximated tracing algorithm are determined
by the following theorem, which will be proved in
Appendix D.

Theorem 4: Choose the code length $m$ and the threshold $Z$
by

$$m = A_1 + A_2 , \tag{9}$$

'-((i-^t-'M 3 ? 5 Ua (10)

(see above for choices of the auxiliary values), and let $N$
denote the total number of users. Then for the approximated
tracing algorithm given in Definition 3, the false-positive
probability is less than $1 - (1 - \varepsilon_1)^{N-1}$ ($\le (N - 1)\varepsilon_1$); and
the false-negative probability is less than $\varepsilon_2$. Hence the total
tracing error probability is bounded by $(N - 1)\varepsilon_1 + \varepsilon_2$, which
becomes $\varepsilon$ if we set $\varepsilon_1 = \varepsilon_2 = \varepsilon/N$.

Remark 5: Even if the value $R_{\ell,x}$ or $\mathcal{R}_{\ell,\mathcal{P}}$ is not explicitly
representable on a computer's numeric system, all values $\mathcal{R}$,
$\psi_i$ and $x_i$ can be chosen as being explicitly representable.
Moreover, $A_1$ and $A_2$, and therefore the resulting code length, can
be chosen from integers.

Here we propose the following choice of parameters

$$(\eta_1, \eta_2) = (1/2, \sqrt{c}/2) \tag{11}$$

to reduce the code length. On the other hand, the original
formula in [6] can be recovered by putting $\delta = 0$, $\eta_1 = 1/4$
and $\eta_2 = c/2$ and by letting all of (5), (6), (7) and (8) be
equalities.

Remark 6: Although it is somewhat complicated to compute
the explicit GL distribution for large c, we can determine
values $\mathcal{R}$, $\psi_1$ and $\psi_2$ in (5) and (6) by using inequalities
(12), ( TJlT ) and (32), which will be given in Section V-B and
Appendix G; thus we are still able to derive some upper
bounds for the code lengths even in such cases. Namely, if
we put $\delta = 0$, then a sufficient code length $m$ making the
code c-secure is calculated from the above values $\mathcal{R}$, $\psi_1$ and
$\psi_2$ as $m = A'_1 c^2 \log(1/\varepsilon_1) + A'_2 c^2 \log(1/\varepsilon_2)$, where

A' = 



(1 - m - Wc)(c+ l> i tan(ji/ A /(e+ l) 2 +4) 

for $i = 1, 2$ (see Section V-B and Appendix G for definitions
of $j_1$ and a' 2). By choosing security parameters $\varepsilon_1 = \varepsilon_2 = \varepsilon/N$
as in the last statement of Theorem 4, the percentage
of our code length $m$ relative to the length $100 c^2 \lceil \log(N/\varepsilon) \rceil$
of Tardos code is bounded by $A'_1 + A'_2$. Figure 1 above is
thus obtained by plotting the values $A'_1 + A'_2$, where the lower
and the upper curves correspond, respectively, to our choice
(11) of parameters and the parameters $(\eta_1, \eta_2) = (1/4, c/2)$
recovering the code length formula given in [6].
B. Asymptotic Behavior of Code Lengths

In this subsection, we investigate properties of the GL
distributions $\mathcal{P} = \mathcal{P}_c$ with c even and the asymptotic behavior
of the corresponding code length determined by our formula
in the limit $c \to \infty$. Proofs of results which are omitted here
will be demonstrated in the Appendices.

First, we show the following bound and asymptotic behavior
for the values $\mathcal{R}_{\ell,\mathcal{P}_c}$, whose proofs will be given in Appendix IB



Proposition 6: We have 



> 



1 



for all $1 \le \ell \le c$



(12) 



,Tll tVc = 1/tt for all £ > 1. 



and lim c 

Secondly, we are also able to show an asymptotic behavior 
of the value <r{po). Here we define j\ to be the small- 
est positive zero of the Oth-order Bessel function Ja(t) = 

X;^ (-1) 4 (V 2 ) 2 V(« ! ) 2 of the nrst kind ; it is known that 
ji = 2.404 82 • • •. Now the asymptotic behavior of a(po) is 
given as follows, which will be proved in Appendix iGl 

Proposition 7: We have lim^oo a(po)/c = 1/ j\. 

From now, we investigate the asymptotic behavior of the 
code length corresponding to $\mathcal{P}_c$. Here, for simplicity, we 
put $\delta = 0$, let ©, ©, © and © be equalities, and 
choose parameters $\eta_1$ and $\eta_2$ so that $\lim_{c\to\infty} \eta_1 = \eta$ with 
$0 < \eta < \infty$, $\lim_{c\to\infty} \eta_2 = \infty$ and $\lim_{c\to\infty} \eta_2/c = \eta'$ with 
$0 \le \eta' < \infty$. Moreover, we assume for a technical reason that 
$\log(1/\varepsilon_2)/\log(1/\varepsilon_1)$ does not diverge to $\infty$ when $c \to \infty$. 
Then we have the following result, which will be proved in 
Appendix H. 

Theorem 5: Under the above assumptions, the code length 
given by © is asymptotically 

$$\frac{\pi}{(1-\eta-\eta')\,j_1 x_\infty}\, c^2 \log\frac{1}{\varepsilon_1} \quad \text{when } c \to \infty,$$

where $x_\infty$ is the unique positive value determined by 
$x_\infty r(x_\infty) = \eta/(\pi j_1)$. 

By applying this theorem to our proposal (fTTT i of the 
parameters $\eta_1$ and $\eta_2$, we obtain the following result: 

Theorem 6: Put $(\eta_1,\eta_2) = (1/2, \sqrt{c}/2)$ and assume that 
$\log(1/\varepsilon_2)/\log(1/\varepsilon_1)$ does not diverge to $\infty$ when $c \to \infty$. 
Then our code length is less than 20.6021% of that of Tardos 
code for any sufficiently large $c$. 

Proof: In this case, we have $\eta = 1/2$ and $\eta' = 0$. By 
using the relations $3.14159 < \pi < 3.14160$ and $2.404\,82 < j_1 < 2.404\,83$, 
we have 

$$x_\infty r(x_\infty) = (2\pi j_1)^{-1} > 0.06618,$$

therefore it follows that $x_\infty > 0.126\,82$ (recall that $t\,r(t)$ is an 
increasing function on $t > 0$). By these data and Theorem 5, 
the percentage of our code length relative to Tardos code is 
asymptotically 

$$\frac{\pi}{(1-\eta-\eta')\,j_1 x_\infty} < \frac{3.14160}{(1/2)\cdot 2.404\,82\cdot 0.126\,82} < 20.6021.$$

Thus the percentage is less than 20.6021% for any sufficiently 
large $c$. ■ 
A similar argument can be used to show that the asymptotic 
percentage is slightly less than 80.7028% when we use 
the parameters $(\eta_1,\eta_2) = (1/4, c/2)$ corresponding to the 
formula in [6]; in this case, we have $\eta = 1/4$, $\eta' = 1/2$, 
$x_\infty r(x_\infty) = (4\pi j_1)^{-1} > 0.033\,09$ and $x_\infty > 0.064\,75$. Thus 
the asymptotic behavior of our code is much better not only 
compared to Tardos code but also to [6]. 

C. Numerical Examples 

Here we give some numerical examples of our code lengths 
and related parameters. We use the bias distributions given 
in the first part of Table III which approximate the GL 
distributions, with $c \in \{2,4,6,8\}$. We choose approximated 
bitwise scores $U_i$ as in the second part of Table III with 
approximation error $\delta = 0$ if $c = 2$ and $\delta = 10^{-5}$ if 
$c \in \{4, 6, 8\}$. Then Table IV gives corresponding values of 
$\mathcal{R}$, $\psi_1$, $\psi_2$, $x_1$, $x_2$, $A_1$ and $A_2$, where we put $\varepsilon_1 = \varepsilon_2 = \varepsilon/N$, 
$N = 100c$, $\varepsilon = 10^{-11}$, $\eta_1 = 1/2$ and $\eta_2 = \sqrt{c}/2$. Now 
by © and (Qj)}, we obtain the resulting code lengths $m$ 
and thresholds $Z$ as in Table IV where the row '%' shows 
percentages of our code lengths relative to Tardos codes. 
On the other hand, based on results in Section V-B further 
comparison of our code lengths with those of Tardos code is 
given by Table V where we put $\varepsilon_1 = \varepsilon_2 = \varepsilon/N$, $N = 10^9$ 
and $\varepsilon = 10^{-6}$. 

TABLE III 

Bias distributions $\mathcal{P}$ and approximated scores 

c    p          q
2    0.500 00   1.000 00
4    0.211 32   0.500 00
     0.788 68   0.500 00
6    0.112 70   0.332 01
     0.500 00   0.335 98
     0.887 30   0.332 01
8    0.069 43   0.248 33
     0.330 01   0.251 67
     0.669 99   0.251 67
     0.930 57   0.248 33

c    $U_0$      $U_1$      $U_2$      $U_3$
2    1
4    1.931 87   0.517 63
6    2.805 90   1          0.356 39
8    3.661 01   1.424 85   0.701 82   0.273 14


These examples show that our result in this paper indeed 
reduces the code lengths. 
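
The following added example (not code from the paper) rebuilds the GL distributions of Table III from Gauss-Legendre nodes and weights, checks the bounds (31)-(32) on $\sigma(p_0)$, and re-derives the asymptotic percentages of Theorem 6 and the remark after it. It assumes that output probabilities are proportional to $\omega(\xi)/\sqrt{1-\xi^2}$ (the normaliser $C_n$ of Appendix F) and that $r(t) = (e^t - 1 - t)/t^2$, neither of which is defined in this section; all function names are hypothetical.

```python
import math

# Smallest positive zero of the Bessel function J_0 (the paper quotes 2.404 82...).
J1 = 2.404825557695773

def gauss_legendre(n):
    """Nodes and weights of the n-point Gauss-Legendre rule on (-1, 1)."""
    nodes, weights = [], []
    for k in range(1, n + 1):
        x = math.cos(math.pi * (k - 0.25) / (n + 0.5))   # initial guess
        for _ in range(100):                              # Newton iteration on L_n
            p_prev, p = 1.0, x
            for j in range(2, n + 1):                     # three-term recurrence
                p_prev, p = p, ((2 * j - 1) * x * p - (j - 1) * p_prev) / j
            dp = n * (x * p - p_prev) / (x * x - 1.0)     # L_n'(x)
            step = p / dp
            x -= step
            if abs(step) < 1e-15:
                break
        nodes.append(x)
        weights.append(2.0 / ((1.0 - x * x) * dp * dp))
    return nodes, weights

def normaliser(n):
    """C_n = sum of omega(xi)/sqrt(1 - xi^2) over the nodes (Appendix F)."""
    xs, ws = gauss_legendre(n)
    return sum(w / math.sqrt(1.0 - x * x) for x, w in zip(xs, ws))

def gl_distribution(c):
    """Sorted (p, q) pairs for even c: p = (1 + xi)/2, q assumed ~ omega/sqrt(1 - xi^2)."""
    xs, ws = gauss_legendre(c // 2)
    raw = [w / math.sqrt(1.0 - x * x) for x, w in zip(xs, ws)]
    total = sum(raw)
    return sorted(((1.0 + x) / 2.0, r / total) for x, r in zip(xs, raw))

def mean_sqrt(dist):
    """R = E[sqrt(p(1 - p))] under the distribution."""
    return sum(q * math.sqrt(p * (1.0 - p)) for p, q in dist)

def sigma(p):
    return math.sqrt((1.0 - p) / p)

def sigma_bounds(c):
    """Lower and upper bounds (31)-(32) on sigma(p_0)."""
    a1, a2 = 1.0 / 3.0, 1.0 - 4.0 / math.pi ** 2
    return tuple(1.0 / math.tan(J1 / math.sqrt((c + 1) ** 2 + a)) for a in (a1, a2))

def x_infinity(eta):
    """Solve x r(x) = eta/(pi j_1) by bisection; r(t) = (e^t - 1 - t)/t^2 is assumed."""
    target = eta / (math.pi * J1)
    lo, hi = 1e-9, 10.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if math.expm1(mid) / mid - 1.0 < target:          # x r(x) = (e^x - 1 - x)/x
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def asymptotic_percentage(eta, eta_prime):
    """Asymptotic length as a percentage of Tardos's: pi/((1 - eta - eta') j_1 x_inf)."""
    return math.pi / ((1.0 - eta - eta_prime) * J1 * x_infinity(eta))

if __name__ == "__main__":
    for c in (2, 4, 6, 8):
        dist = gl_distribution(c)
        print(c, [(round(p, 5), round(q, 5)) for p, q in dist], round(mean_sqrt(dist), 4))
    print(round(asymptotic_percentage(0.5, 0.0), 4),
          round(asymptotic_percentage(0.25, 0.5), 4))
```

The exact probabilities agree with Table III to within $10^{-5}$; the table rounds them so that each distribution still sums to 1.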

VI. Remarks on Recent Related Works 

At the time when the preliminary version of this paper 
was written, our code lengths given in Section V were to 
our best knowledge the shortest among known c-secure codes 
(at least for c > 4). After that, some recent works Q, JU, 
J3, ifTUl on Tardos code have succeeded in reducing the code 
lengths, by strictly improving the evaluation of tracing error 
probabilities and slightly modifying some parameters or even 
the tracing algorithm itself; their new code lengths are in 
fact shorter than ours. However, those works do not address 
the problems mentioned and solved in this paper, such as 
large memory amount and impossibility of explicit 
implementation. For instance, their schemes still use continuous bias 
distributions but they did not show suitable ways to implement 
or approximate their continuous distributions for practical use. 

Therefore, these recent results do not completely supersede 
the work in this paper, in particular, the most significant part 
regarding reduction of extra memory amount. In fact, these 
results show that there remains room for reducing the length 
of our code. Indeed, we would like to announce that our 
recent subsequent study has achieved code lengths even shorter 
than the abovementioned works, by using (approximation of) 
the GL distributions, improving our tracing algorithm, and 
tightly evaluating its tracing error probability. The details of 
the subsequent result will be presented in a forthcoming paper. 

TABLE IV 

Auxiliary values, lengths and thresholds for the example 

          c               2           4             6              8
          N               200         400           600            800
Tardos    m               12 400      51 200        115 200        211 200
          $\mathcal{R}$   0.5         0.408         0.377          0.362
          $\psi_1$        1           1.931         2.805          3.661
          $\psi_2$        1           1.932         2.806          3.662
          $x_1$           0.231       0.184         0.166          0.155
          $x_2$           0.315       0.347         0.377          0.406
          $A_1$           3622        12 907        28 878         51 783
          $A_2$           2656        6843          12 716         19 769
Ours      m               6278        19 750        41 594         71 552
          %               50.6        38.6          36.1           33.9
          Z               917.3...    1336.317 86   1843.450 24... 2375.914 48...

TABLE V 

Another comparison of code lengths for $N = 10^9$ and $\varepsilon = 10^{-6}$ 

c         4               8               16              32              64              $\to \infty$
Tardos    5.60 x 10^4     2.24 x 10^5     8.96 x 10^5     3.58 x 10^6     1.43 x 10^7     100%
Ours      2.18 x 10^4     7.72 x 10^4     2.78 x 10^5     1.01 x 10^6     3.75 x 10^6     20.6%

VII. Conclusion 

We have discussed the problems of Tardos's fingerprinting 
code [12] regarding its practical use, such as large required 
memory and impossibility of explicit implementation, mainly 
due to continuity of probability distributions used in its 
codeword generation. We investigated the finite probability 
distributions used in the preceding improvement [6] of Tardos 
code, and determined the optimal distributions for the purpose 
of reducing memory amount. As Table U shows, the memory 
amount is indeed reduced dramatically by our result. We 
also reduced the code lengths significantly by improving the 
formula of code lengths given in [6], and evaluated effects 
of approximation on security performance of our codes in a 
practical setting. 
Appendix A 
Proofs of Results in Section IV-A 

Here we give the proofs of our results in Section IV-A. 
Proof of Proposition 2: First, the following property is 
easily derived from (0: $E_p[f_{\ell,\ell-x}(p)] \ge 0$ for all $2 \le \ell \le c$ 
and $1 \le x \le \ell - 1$ if and only if $E_p[f_{\ell,x}(p)] \le 0$ for all 
$2 \le \ell \le c$ and $1 \le x \le \ell - 1$. Thus the first claim follows 
from Remark Q] The other claims are also straightforward by 
©. ■ 
Proof of Lemma Q} First, an elementary analysis shows 
that 

$$g_{\ell,x}(p) = \frac{d}{dp}\left(p^x(1-p)^{\ell-x}\right), \qquad (13)$$

therefore the second claim follows from the equality 

$$p^x(1-p)^{\ell-x} + p^{x+1}(1-p)^{\ell-x-1} = p^x(1-p)^{\ell-x-1}.$$

Now the first claim is also derived from the relation 
$f_{\ell,x}(p) = g_{\ell,x}(p)\sqrt{p(1-p)}$. ■ 
Proof of Proposition By the assumption on $\mathcal{P}$, we 
have $\mathcal{R}_{\ell,\mathcal{P}} = E_p[-f_{\ell,0}(p)]$ for any $1 \le \ell \le c$. Thus Lemma 
0 infers that $\mathcal{R}_{\ell,\mathcal{P}} - \mathcal{R}_{\ell-1,\mathcal{P}} = E_p[f_{\ell,1}(p)]$ for any $2 \le \ell \le c$, 
therefore we have $\mathcal{R}_{\ell,\mathcal{P}} - \mathcal{R}_{\ell-1,\mathcal{P}} = 0$ by Proposition0 Hence 


E n 



Proof of Lemma 



P) 



as desired. 



We have E p (p)] 



E, 



P [fi',x'{p)] 



Ep [fl',x'+\{p)\ by Lemma [U thus all of the 
three terms become zero whenever any two of them are. ■ 
Proof of Proposition® Since V is c-ind, Proposition 
infers that 01 is satisfied for all parameters of the form (£, x) 
with 2 < £ < c and for (c + l,xo)> where xo = (c + l)/2. 
Thus by Lemma [2] and induction on v, it follows for all v 
that 0) is satisfied for parameters of the form (c+ 1, Xq ±v). 
Hence V is (c + l)-ind by Claim 1 of Proposition [2] ■ 
Proof of Proposition^ By Proposition it suffices for 
both of the two claims to prove that V is c'-ind. 

First, we argue the claim 1 . By the assumption and Claim 3 
of Proposition0 the condition 01 is satisfied for all parameters 
(d , x) with 1 < x < d — 1, therefore Lemma |2] infers that it is 
also satisfied for all parameters (d — 1, x) with 1 < x < d — 2. 
Similarly, it is inductively derived that 01 is satisfied for all 
parameters (£, x) with 2 < £ < d and 1 < £ < £ - 1. Thus V 
is c'-ind by Claim 1 of Proposition 

Secondly, we prove the claim 2. The assumption and Propo- 
sition infer that V is [d — l)-ind, thus 0) is satisfied for 
all parameters (d — l,x) with 1 < x < d — 2. Since 0) is 
satisfied for the parameter (d,xo) in the statement, the same 
argument as Proposition shows that (0 is also satisfied for 
all parameters (d,x) with 1 < x < d — 1. Hence V is c'-ind 
by Claim 1 of Proposition ■ 

Appendix B 
Proof of Theorem[T] 

Here we give the proof of the theorem. First, we show that 
$\mathcal{P} = \mathcal{P}(Q)$ is a $c$-ind bias distribution for any symmetric QS 
$Q$ of degree $c - 1$. A straightforward calculation can show that 
this $\mathcal{P}$ is indeed a finite probability distribution; the outputs of 
$\mathcal{P}$ lie in the interval $(0, 1)$ since $X$ is a subset of the interval 
$(-1, 1)$; and $\mathcal{P}$ is symmetric since $Q$ is symmetric. Thus the 
remaining task is, by Claim 2 of Proposition, to show that 
$E_p[f_{\ell,1}(p)] = 0$ for all $2 \le \ell \le c$. Now recall the relation 
$f_{\ell,1}(p) = \sqrt{p(1-p)}\,g_{\ell,1}(p)$. Since $g_{\ell,1}$ is a polynomial of 
degree $\ell - 1$ ($\le c - 1$), we have 



Ep [Vp0--P)9t,i(p) 



"(0 



1 + i 



2C 7-i 5 ° I 2 
1 f 1 

— y ^,1(2) dz 



dt 



(14) 



(15) 



(here ( [T4T i follows since Q is a QS of degree c — 1, while (fT3b 
is derived from (TO])). Thus T^Q) is c-ind. 

Secondly, we show that $Q = Q(\mathcal{P})$ is a symmetric QS of 
degree $c - 1$ for any $c$-ind distribution $\mathcal{P}$. The set $X$ is included 
in the interval $(-1, 1)$ since $0 < p_i < 1$ for all $i$, while $Q$ is 
symmetric since $\mathcal{P}$ is symmetric. Thus the remaining task is to 
show that $\int_{-1}^{1} F(t)\,dt = \sum_{\xi\in X} \omega(\xi)F(\xi)$ for any polynomial 
$F(t)$ of degree less than or equal to $c - 1$. Now observe that 
any such $F(t)$ can be expressed as a linear combination of 
the polynomials $g_{\ell,1}\left(\frac{1+t}{2}\right)$ of degree $\ell - 1$ for $2 \le \ell \le c$ and 
a constant polynomial 1, while $\sum_{\xi\in X} \omega(\xi) = 2 = \int_{-1}^{1} dt$ by 
definition. Thus it suffices to show the above claim only for 
$F(t) = g_{\ell,1}\left(\frac{1+t}{2}\right)$ with $2 \le \ell \le c$. For this claim, we have 



c 



91,1 



l + t 



dt = 2C gt,i{z)dz 



= 

= E, 



[s/pi 1 -p)9e,i(p) 



(16) 
(17) 



i=l 



i+e, 



(here ( TToT ) is derived from ( TOI ). while ( TTTb follows from Claim 
1 of Proposition 01. Thus Q^) is a symmetric QS of degree 
c- 1. 

Finally, since $\sum_{\xi\in X} \omega(\xi) = 2$ and $\sum_i q_i = 1$, a straightforward 
computation can verify the relations $Q(\mathcal{P}(Q)) = Q$ and 
$\mathcal{P}(Q(\mathcal{P})) = \mathcal{P}$. Hence the proof of the theorem is concluded. 

Appendix C 
Proof of Theorem^ 

Here we give the proof of Theorem Put 

L„(t) = L u (2t - 1) , 

which is proportional to L v . First, note that L v (}-^) = 
if and only if £„(£) = 0, thus the set of outputs of V c = 
V{Q,v) with c = 2v is (by definition) the set of zeroes of L v , 
which coincides with the set of zeroes of L v and consists of v 
elements (see Theorem 0. Now note that 1 — £ 2 = 4p(l — p) 
if p= (1 + 0/2, while 



dt 



L v (t) 



t=ip-\ 



d ? (l + t 



1 d T U\ 

2 du L » {u) 



t=ip-\ 



u=(l+t)/2. 



t=1p-\ 



C'lAp) , 



u—p 



where C" is some constant. Thus the probability of V c taking 
the value p = (1 + £)/2 with £ e X is 

^(0 = 2 

1 



4CC" 2 (p(l-p)) 3/2 ^'(p) 2 ' 

Hence the claim follows, since the factor 1/(4CC" 2 ) above 
is common for all p, concluding the proof. 
Appendix D 
Proof of Theorem 4 

Here we give the proof of Theorem 4 by evaluating the 
probabilities of false-negative and of false-positive. This will 
be done by basically the same argument as [6] except for some 
slight modifications. 

In what follows, let $x_1$ and $x_2$ be two positive parameters, 
and put $\alpha = x_1/\sigma(p_0)$ and $\beta = x_2/(c\,\sigma(p_0))$. Before 
giving our proof, we recall the following fundamental tool 
in probability theory which is used in our argument (as well 
as in [6]): 

Lemma 3 (Markov's Inequality): Let $Y$ be a finite positive 
random variable and $t > 0$. Then we have 

$$\mathrm{Prob}(Y \ge t) \le \frac{E[Y]}{t} \quad\text{and}\quad \mathrm{Prob}(Y > t) < \frac{E[Y]}{t},$$

where $E[Y]$ denotes the expected value of $Y$. 

Now we give the following proposition, which is a slight 
modification of [6, Lemma 1] and which concerns the 
false-positive probability of our code: 

Proposition 8 (cf. [6, Lemma 1]): Let $u_i$ be an innocent 
user. For any fixed $P = (p^{(1)}, \dots, p^{(m)})$, any fixed 
$y = (y_1, \dots, y_m)$ and any $t > 0$, we have 

$$\mathrm{Prob}(S_i \ge t) < e^{r(x_1)\alpha^2 m - \alpha t}, \qquad (18)$$

where the probability is taken over the codewords of $u_i$ chosen 
according to the $P$. 

Proof: The proof is almost the same as that of [6, 
Lemma 1], except for some differences explained below. 
First, [6, Lemma 1] showed an inequality similar to (18) 
for the probability $\mathrm{Prob}(S_i > Z)$ under the assumption that 
$\alpha\sigma(p_0) < x_1$ (note that $x_1$ is simply denoted by x\ in [6]); 
however, the same proof is actually able to prove the same 
inequality for a slightly larger probability $\mathrm{Prob}(S_i \ge Z)$ under 
the weaker assumption that $\alpha\sigma(p_0) \le x_1$. This follows from 
the observation that the bound $1 + r_1\alpha^2 < e^{r_1\alpha^2}$ used in 
the original proof is indeed a strict inequality. Secondly, [6, 
Lemma 1] was originally proved only when $Z$ is the threshold, 
however a careful reading of the proof can reveal that the 
property of $Z$ being the threshold is not used in there; therefore 
that proof is still valid even if $Z$ is just an arbitrary positive 
parameter. Now our claim follows by combining these two 
observations. ■ 

Remark 7: The proof of [6, Lemma 1] is still valid (so 
is that of the above proposition) even if $y$ is an arbitrary 
codeword with $y_j \in \{0,1,?\}$ which need not satisfy the 
Marking Assumption; the only required property of $y$ is that 
it is independent of the codeword of $u_i$ (see Assumption 2). 

On the other hand, the next proposition, which is a slight 
modification of [6, Lemma 2], concerns the false-negative 
probability: 

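Proposition 9 (cf. [6, Lemma 2]): Let $u_1, \dots, u_\ell$ be the 
pirates with $\ell \le c$, and $t > 0$. Then for any fixed pirates' 
strategy, we have 

$$E\left[e^{-\beta\sum_{i=1}^{\ell} S_i}\right] \le e^{\beta(c\beta r(x_2) - \mathcal{R}_{\ell,\mathcal{P}})m}, \qquad (19)$$

where the expected value is taken over all $P$, all codewords of 
pirates and all $y$, which are chosen according to $\mathcal{P}$, $P$ and the 
pirates' strategy, respectively. Hence by Markov's Inequality, 
we have 

$$\mathrm{Prob}(S_i < t \text{ for all } i) \le \mathrm{Prob}\Big(\sum_{i=1}^{\ell} S_i < \ell t\Big) \le \mathrm{Prob}\Big(e^{-\beta\sum_{i=1}^{\ell} S_i} > e^{-\beta\ell t}\Big) \le E\left[e^{-\beta\sum_{i=1}^{\ell} S_i}\right]\Big/e^{-\beta\ell t} \le e^{\beta(c\beta r(x_2) - \mathcal{R}_{\ell,\mathcal{P}})m + \beta\ell t}.$$
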

Proof: The proof is basically the same as [6, Lemma 2]; 
it also works in our situation by noticing the following points 
only. First, the original proof allows the pirates' strategy to be 
probabilistic, though it was not clarified. Secondly, although 
[6] only considers the restricted case that $y$ contains no bit 
'?', an argument appeared in [12] can generalize the proof in 
[6] to our situation where $y$ may contain '?'. ■ 

Now we start to prove Theorem 4. First, recall that in 
the approximated tracing algorithm given in Definition 3, a 
user is outputted if and only if the approximated score is at 
least $Z$. Now, writing $S$ for the true score, an approximated 
score of at least $Z$ infers $S \ge Z - m\delta$ and an approximated 
score less than $Z$ infers $S < Z + m\delta$ by definition of $\delta$; thus to achieve 
$\mathrm{Prob}(u_i \text{ is outputted}) \le \varepsilon_1$, where $u_i$ is an arbitrarily fixed 
innocent user, and to achieve $\mathrm{Prob}(\text{no pirate is outputted}) \le \varepsilon_2$ 
as well, it suffices to satisfy the following two bounds 

$$\mathrm{Prob}(S \ge Z - m\delta) \le \varepsilon_1, \qquad (20)$$
$$\mathrm{Prob}(S_i < Z + m\delta \text{ for all } i) \le \varepsilon_2, \qquad (21)$$

where $S$ denotes an arbitrarily fixed innocent user's true score 
and $S_1, \dots, S_\ell$ (with $\ell \le c$) denote the $\ell$ pirates' true scores. 
Now by Propositions 8 and 9 the following conditions yield 
(20) and (21): 

$$r(x_1)\alpha^2 m - \alpha(Z - m\delta) \le \log\varepsilon_1,$$
$$\beta(c\beta r(x_2) - \mathcal{R}_{\ell,\mathcal{P}})m + \beta\ell(Z + m\delta) \le \log\varepsilon_2.$$

Moreover, since the values $m$, $Z$, $\beta$ and $\delta$ are all nonnegative, 
the following conditions 

$$r(x_1)\alpha^2 m - \alpha(Z - m\delta) = \log\varepsilon_1, \qquad (22)$$
$$\beta(c\beta r(x_2) - \mathcal{R})m + \beta c(Z + m\delta) = \log\varepsilon_2 \qquad (23)$$

also yield (20) and (21). Now if we solve equations (22) 
and (23) in $m$ and $Z$, where $x_1$ and $x_2$ are determined 
by $x_i r(x_i) = \sigma(p_0)\eta_i\mathcal{R}/c$ for $i = 1,2$ and $\alpha$ and $\beta$ are 
determined as above, then the code length $m$ and the threshold 
$Z$ are given by 

$$m = \frac{c\,\sigma(p_0)}{C}\left(\frac{1}{x_1}\log\frac{1}{\varepsilon_1} + \frac{1}{x_2}\log\frac{1}{\varepsilon_2}\right) \qquad (24)$$

(where $C = (1 - \eta_1 - \eta_2/c)\mathcal{R} - 2\delta c$) and 

$$Z = \frac{\sigma(p_0)}{C}\left(\frac{(1 - \eta_2/c)\mathcal{R} - \delta c}{x_1}\log\frac{1}{\varepsilon_1} + \frac{\eta_1\mathcal{R} + \delta c}{x_2}\log\frac{1}{\varepsilon_2}\right) \qquad (25)$$

which generalize the formula in [6] (the original is recovered 
by putting $\eta_1 = 1/4$, $\eta_2 = c/2$ and $\delta = 0$). Moreover, if we 
take the values $\psi_i$, $x_i$ and $A_i$ ($i = 1,2$) as in Section V-A 
and determine the modified code length fh and threshold Z 
by 



b' b' 

is uniform; it follows that f , gi{x) dx — > J* , /(x) when 
z — > oo by Lemma [6] Therefore there is an index n such that 



fh = Ai + A 2 

Z = 



fix) dx 



(26) 



5 ) Ai (27) By combining (I28t and (129t . we have 



dx < — for any i > n . (29) 



then by comparing the pair of (24) and (25) with the pair of 
(26) and (27), we can show that conditions (20) and (21) are 
satisfied with $\varepsilon_i$ replaced by $e^{-k_i}$ where 

$$k_i = \frac{C}{c\,\sigma(p_0)}\,x_i A_i \quad \text{for } i = 1, 2.$$


Since ^2 > °'(Po) an d 2^ < £j (* = L 2) by definition, we 
have e _,Ci < e< by the choice of j4,-. Thus the code length m 
and threshold Z, which are precisely those chosen in Theorem 
[4] (see (O and (fTUIl). provide the desired security performance. 
Hence the proof of Theorem [4] is concluded. 

Appendix E 
A Lemma for Proof of Proposition 6 

Here we prepare the following well-known fact in elementary 
analysis, which will be used in the proof of Proposition 
6 given in Appendix F. 

Lemma 4: Let $\{f_n\}_{n=1}^{\infty}$ be a sequence of nonnegative continuous 
functions on the same open interval $I = (a, b)$, 
whose sum $\sum_{n=1}^{\infty} f_n$ converges to a continuous function 
$f$ at every point in $I$. If all of the improper integrals 
$\int_a^b f_n(x)\,dx$ and $\int_a^b f(x)\,dx$ exist and converge, then 
$\lim_{n\to\infty} \int_a^b \sum_{i=1}^{n} f_i(x)\,dx = \int_a^b f(x)\,dx$. 

From now, we give a proof of this result for the sake of 
completeness. In the proof, we use the following two facts, 
which can be found in most of undergraduate textbooks of 
elementary analysis: 

Lemma 5 (Dini's Theorem; see e.g. (Q\ p. 151]): Let $I = [a, b]$ 
be a closed interval, and let $\{g_i\}_{i=1}^{\infty}$ be an increasing 
sequence of continuous functions $g_i$ on $I$ which converges 
to another continuous function $g$ at every point in $I$; i.e. 
$g_{i-1}(x) \le g_i(x) \to g(x)$ when $x \in I$. Then the convergence 
is uniform; i.e. for any $\varepsilon > 0$, there is an index $n$ such that 
$|g(x) - g_i(x)| < \varepsilon$ for every $i \ge n$ and $x \in I$. 

Lemma 6 (see e.g. I\2\ Theorem 10.5]): Let $\{g_i\}_{i=1}^{\infty}$ be a 
sequence of continuous functions on the same closed interval 
$I = [a, b]$ which converges uniformly to a function $g$ on $I$. 
Then $\int_a^b g_i(x)\,dx$ converges to $\int_a^b g(x)\,dx$ when $i \to \infty$. 

Now we start to prove Lemma 4. First, note that the 
function $f$ is nonnegative on $I$ by the assumption. Then, given 
an arbitrary $\varepsilon > 0$, the assumption on convergence of the 
improper integral $\int_a^b f(x)\,dx$ infers that 



J f{x) dx - j f{x) dx<j (28) 

for some $a < a' < b' < b$. Now by the assumption, the 
sequence $\{g_i\}_{i=1}^{\infty}$ defined by $g_i = \sum_{n=1}^{i} f_n$ is an increasing 
sequence of continuous functions on the closed interval 
$I' = [a', b']$ which converges to the continuous function $f$ at 
every point in $I'$. Thus Lemma 5 infers that the convergence 


< 



< 



< 



fix) dx 



fix) dx 



gi(x) dx 



giix)dx < 



for any $i \ge n$ (note that $0 \le g_i \le f$ for each $i$). This means 
that $\int_a^b g_i(x)\,dx$ converges to $\int_a^b f(x)\,dx$ when $i \to \infty$, as 
desired. Hence the proof of Lemma 4 is concluded. 

Appendix F 
Proof of Proposition 6 

Here we give the proof of Proposition 6. First, let 
$Q_n = (X_n, \omega_n)$ denote the Gauss-Legendre QS of order $n$ (see 
Section IV-C for definition), therefore the set $X_n$ consists of 
$n$ zeroes of the Legendre polynomial $L_n(t)$. In our proof of 
Proposition 6 we use the following result, which is directly 
derived from the latter part of Inequality (2.18) in [4, Corollary 
1] by choosing the parameter $\lambda = 1/2$: 

Lemma 7 (]4. Corollary 1]): We have 



< 



1/2 



for all n > 1 and all £ S X n . 

Now we start the proof of Proposition 6. Recall that $c$ is 
now assumed to be even; put $c = 2n$. First, by combining 
Proposition 3 and Theorem [T] we have 



E P [VpJ 



1-p) 



E 

E ^ = c~ n . 



where $C_n = \sum_{\xi\in X_n} \omega_n(\xi)/\sqrt{1-\xi^2}$. Now Lemma 7 gives 
us that $C_n \le n\pi/(n + 1/2) = c\pi/(c + 1)$, thus the former 
claim follows. 

For the proof of the latter claim, it suffices to show that 
$\lim_{n\to\infty} C_n = \pi$. Now it follows that 

f 2i 



E- 

At 



71 — 1 

< 2i > y - 

— /L^i 41 

t=0 



for — 1 < t < 1, therefore we have 



n— 1 _^ 



— >c n > 

„1 n—l 



1 (2i 



~ L i=0 



t 21 dt 



(30) 



(here (30) follows from the fact that the QS $Q_n$ is of degree 
$2n - 1$). Now owing to Lemma 4 in Appendix E with 
$I = (-1, 1)$ and $f_i(t) = 4^{-i}\binom{2i}{i}t^{2i}$, the value (O converges 
to $\int_{-1}^{1} (1 - t^2)^{-1/2}\,dt = \pi$ when $n \to \infty$, 
while $n\pi/(n + 1/2)$ also converges to $\pi$. Thus we have 
$\lim_{n\to\infty} C_n = \pi$, as desired. Hence the proof of Proposition 
6 is concluded. 

Appendix G 
Proof of Proposition 7 

Here we give the proof of Proposition 7. First, we define 
$\theta_n$ to be the unique value such that $0 < \theta_n < \pi$ and $-\cos\theta_n$ 
is the smallest zero of the Legendre polynomial $L_n(t)$ (recall 
that the zeroes of $L_n(t)$ lie in the open interval $(-1, 1)$). Then 
we have the following result, which will be used in the proof 
of Proposition 7. 

Lemma 8 fjj5] p. 264]): For any n, we have 



^{n + 1/2) 2 + a 2 



< 



< 



+ 1/2)2 + 



a i 



where $a_1 = 1/12$ and $a_2 = 1/4 - 1/\pi^2$. 

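From now, we prove Proposition 7. First, by the definitions 
of $p_0$ and $\theta_n$, Theorem Q] infers that 

$$p_0 = \frac{1 - \cos\theta_n}{2} = \sin^2\frac{\theta_n}{2},$$

therefore $\sigma(p_0) = 1/\tan(\theta_n/2)$. Thus by Lemma 8 we have 

$$\frac{1}{\tan\left(j_1/\sqrt{(c+1)^2 + a'_1}\right)} \le \sigma(p_0) \qquad (31)$$
$$\le \frac{1}{\tan\left(j_1/\sqrt{(c+1)^2 + a'_2}\right)} \qquad (32)$$

where $a'_i = 4a_i$ (namely $a'_1 = 1/3$ and $a'_2 = 1 - 4\pi^{-2}$). 
Moreover, an elementary analysis gives us 

$$\frac{1}{c\,\tan\left(j_1/\sqrt{(c+1)^2 + a'_i}\right)} = \frac{\cos\left(j_1/\sqrt{(c+1)^2 + a'_i}\right)\cdot j_1/\sqrt{(c+1)^2 + a'_i}}{\left(j_1/\sqrt{(1 + 1/c)^2 + a'_i/c^2}\right)\,\sin\left(j_1/\sqrt{(c+1)^2 + a'_i}\right)}$$

for $i = 1,2$, which converges to $1/j_1$ when $c \to \infty$. Hence 
the claim of Proposition 7 follows, concluding the proof. 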

Appendix H 
Proof of Theorem 5 

Here we give the proof of Theorem 5. First, we have 
$\mathcal{R} = \mathcal{R}_{\ell,\mathcal{P}} \to 1/\pi$ by Proposition 6 (see also Proposition 
3) and $c^{-1}\sigma(p_0) \to 1/j_1$ by Proposition 7 when $c \to \infty$. 
Thus the parameter $x_1$, which is determined by 
$x_1 r(x_1) = \eta_1\mathcal{R}\sigma(p_0)/c$, converges when $c \to \infty$ to $x_\infty$ given in the 
statement (note that the continuous function $t\,r(t)$ is strictly 
increasing for $t > 0$ and its image is the whole infinite 
interval $(0, +\infty)$, therefore such $x_\infty$ is uniquely determined). 
Similarly, the other parameter $x_2$ converges to $\infty$ when 
$c \to \infty$, since $x_2 r(x_2) = \eta_2\mathcal{R}\sigma(p_0)/c \to \infty$. Now by (O, 
we have 

$$\frac{m}{c^2\log(1/\varepsilon_1)} = \frac{1}{c}\cdot\frac{\sigma(p_0)}{\mathcal{R}(1 - \eta_1 - \eta_2 c^{-1})}\left(\frac{1}{x_1} + \frac{\log(1/\varepsilon_2)}{x_2\log(1/\varepsilon_1)}\right)$$


while the above argument shows that 
vn l-r]-r]' 



and 



1 

ii 



TT C 

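when $c \to \infty$. Moreover, by the assumption on value 
$\log(1/\varepsilon_2)/\log(1/\varepsilon_1)$ we have that 

$$\frac{\log(1/\varepsilon_2)}{x_2\log(1/\varepsilon_1)} \to 0 \quad \text{when } c \to \infty.$$

Thus we have 

$$\frac{m}{c^2\log(1/\varepsilon_1)} \to \frac{\pi}{(1 - \eta - \eta')\,j_1 x_\infty},$$

therefore the claim follows. Hence the proof of Theorem 5 is 
concluded. 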



